发表新帖
发表新帖

Permission denied error invoking Docker on Mac host from inside Docker Ubuntu container as non-root user

前端 未结
关注
3 1729
不要未来只要你来
不要未来只要你来 2021-02-15 17:03

I\'m trying to invoke docker on my OSX host running Docker for Mac 17.06.0-ce-mac17 from inside a running jenkins docker container (jenkins:latest), per the procedure described

3条回答
  • 你的背包
    你的背包 (楼主)
    2021-02-15 17:33

    I got this working, at least automated but currently only working on docker for Mac. Docker for Mac has a unique file permission model. Chowning /var/run/docker.sock to the jenkins user manually works, and it persists across container restarts and even image regeneration, but not past docker daemon restarts. Plus, you can't do the chown in the Dockerfile because docker.sock doesn't exist yet, and you can't do it in the entrypoint because that runs as jenkins.

    So what I did was add jenkins to the "staff" group, because on my Mac, /var/run/docker.sock is symlinked down into /Users//Library/Containers/com.docker.docker/Data/‌​s60 and is uid and gid staff. This lets the jenkins user run docker commands on the host.

    Dockerfile:

    FROM jenkins:latest

USER root

RUN \
    apt-get update && \
    apt-get install -y build-essential && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

COPY docker /usr/bin/docker

# To allow us to access /var/run/docker.sock on the Mac
RUN gpasswd -a jenkins staff

USER jenkins

ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]

    docker-compose.yml file:

    version: "3"
services:
  jenkins:
    build: ./cd_jenkins
    image: cd_jenkins:latest
    ports:
      - "8080:8080"
      - "5000:5000"
    volumes:
      - ./jenkins_home:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock

    This is, however, not portable to other systems (and depends on that docker for mac group staying "staff," which I imagine isn't guaranteed). I'd love suggested improvements to make this solution work across host systems. Other options suggested in questions like Execute docker host command inside jenkins docker container include:

    • Install sudo and let jenkins sudo and run all docker commands with sudo: adds security issues
    • "Add jenkins to the docker group" - UNIX only and probably relies on matching up gids from host to container right?
    • Setuid'ing the included docker executable might work, but has the same security elevation issues as sudo.

    0 讨论(0)
 看不清?
提交回复
热议问题